Global supply chains are increasingly interconnected, technology-enabled, and efficient, allowing businesses and consumers to access an unprecedented amount of goods quickly. These supply chains rely on technology to facilitate the movement of cargo and transmit data to U.S. Customs and Border Protection (CBP) for cargo clearance.
Several high-profile cyberattacks against trade entities demonstrate that supply chains can be disrupted, which may impact not only the economy but also the efficient flow of critical products to consumers across the country. As cyberattacks that disrupt supply chains grow in complexity and frequency, CBP is committed to working with the trade community to enhance efforts to prevent and mitigate the impacts of future disruptions.
This page is a resource to help the trade community better prepare for potential cyberattacks.
What to do if You’re Experiencing a Cyberattack
If you suspect that your systems have been targeted by a cyberattack, please follow the steps below:
Contact Information
Email: cbpsoc@cbp.dhs.gov
Call: 703-921-6507
The CBP Security Operations Center (SOC) is staffed 24/7 and is the quickest way to get in touch with CBP and receive guidance following a cyberattack.
Impacted trade stakeholders should notify the SOC regardless of their trade role.
Note, however, that pursuant to 19 CFR 111.21(b), customs brokers must notify the SOC of any known breach of electronic or physical records relating to the broker's customs business. Notification must be provided electronically (cbpsoc@cbp.dhs.gov) within 72 hours of the discovery of the breach and must include any known compromised importer identification numbers.
Upon notifying the SOC, be prepared to share key details about the nature of the cyberattack, including but not limited to:
- Time of incident
- Cause of incident (if known)
- Impact of incident
- Affected parties
- Exposed Personally Identifiable Information (if any)
- Any known indicators of compromise
- Location of infected site
- Incident Type (Viruses, Malware, Ransomware, Spyware, etc.)
- Containment status/information
- Information on any connection to CBP’s automated systems:
  - Automated Broker Interface, Automated Manifest Systems, Automated Export Systems, and/or CBP portal.
  - Identify any electronic data interchange (EDI) connection and whether it is a direct connection or via a service bureau.
- Related businesses with a CBP nexus that may or may not be impacted by this incident.
- The company or filer’s identifier, such as Filer Code, SCAC, AES Filer, portal user, etc.
- Cybersecurity POC - include name & title of contact with email address and phone number.
Establish communications with CBP Headquarters representatives in the Office of Trade (OT) and Office of Field Operations (OFO) by emailing cyberincident@cbp.dhs.gov. If a member of CTPAT, also notify your designated Supply Chain Security Specialist. CBP Headquarters representatives will schedule a regular cadence of meetings with you to assess and continuously monitor cargo and systems impacts.
Establish and maintain early and regular communications with affected Ports of Entry, Centers of Excellence, and local PGA representatives in the event that your cargo is impacted.
Impacted trade stakeholders are encouraged to notify their clients, software providers, and/or other stakeholders whose cargo or systems may also be affected by the cyberattack to mitigate supply chain disruptions.
How to Identify a Cyberattack with Indicators of Compromise
An Indicator of Compromise (IOC) is forensic evidence on a computer or network that indicates the security of the network has been breached. IOCs act as flags that cybersecurity network administrators use to detect unusual activity that usually suggests an attack is in progress. IOCs also provide insight into actors’ intent and can provide early warning signs of possible future attacks.
For more information on Indicators of Compromise, please see the IOC Reporting Guidance document.
What to do if Your Cargo is Impacted by a Cyberattack
Downtime and enforcement discretion may be authorized by CBP Headquarters on a case-by-case basis.
Downtime refers to alternative cargo release processes which are authorized based on a determination by CBP OFO. Downtime may be authorized by CBP OFO when a cybersecurity incident prevents a broker from electronically filing in the Automated Commercial Environment (ACE) the entry documentation and information required by 19 CFR 142.3 to secure cargo release from customs custody on behalf of the broker’s clients.
Enforcement discretion refers to a determination made by OT and OFO that CBP will not issue or enforce certain liquidated damages claims. Enforcement discretion may be authorized by CBP when a cyberattack prevents a broker from filing the entry summary documentation and information, completing the deposit of estimated duties, taxes, and fees, and/or completing other post-release transactions in a timely manner on behalf of the broker’s clients.
See Broker Cybersecurity Incident Procedures for guidance on how to request and navigate Downtime and Enforcement Discretion as well as requirements for reporting entry transactions during and after the cyberattack.